470 likes | 670 Views
Industrial Strength SAT-based Alignability Algorithm for Hardware Equivalence Verification. Daher Kaiss, Marcelo Skaba, Ziyad Hanna, Zurab Khasidashvili Formal Technologies Group Intel, Israel Design Center, Haifa. Purpose.
E N D
Industrial Strength SAT-based Alignability Algorithm for Hardware Equivalence Verification Daher Kaiss, Marcelo Skaba, Ziyad Hanna, Zurab Khasidashvili Formal Technologies Group Intel, Israel Design Center, Haifa
Purpose • Sequential Equivalence Verification (SEV) as a productivity boost in hardware design • A novel method for automatic initialization of hardware design
Agenda • Problem statement • Introduction • What is Seqver? • Initialization algorithm • Experimental results • Conclusions
Problem Statement • Traditional methods for doing Formal Equivalence Verification (FEV) between RTL and Schematics are not efficient • Require one-to-one correspondence between the sequential elements in the compared models • Negative impact on the abstraction level of the RTL • Negative impact on design convergence as changes in the schematics need to be reflected in the RTL
Agenda • Problem statement • Introduction • What is Seqver? • Initialization algorithm • Experimental results • Conclusions
Introduction • Formal Equivalence Verification (FEV) is the process of verifying that the schematic is functionally equivalent to the RTL • Formal verification tools are limited in capacity and complexity • Mapping is an association between signals in the compared designs • Central role in the FEV design activity • Thus defines boundaries for decompositions
FEV flow RTL Schematics Synthesis Extraction Modify the Schematic FEV (Seqver) Map File Complex Diff Debug J Verification Passed
Traditional way of doing FEV • The designs are decomposed at the sequential elements • There is a one-to-one correspondence between the sequential elements in both designs • This method is called Combinational Equivalence Verification (CEV) RTL – Fub level Schematic – Fub level
Impact on chip design development • Detailed RTL is • Expensive to develop & maintain • Slow to validate • Error prone • Much of the design cycle deals with “tweaking” the circuit to meet timing/area/… constraints • Most of these changes should not change the visible behavior of a unit/fub. • Powerful, automatic, sequential verification can allow this tight coupling SCH-RTL to be relaxed
Sequential Equivalence Verification (SEV) • Compare designs in which there are different number of latches and/or locations of the latches RTL – Fub level Schematic – Fub level
SEV – Example 1 (Abstraction) FlipFlop based memory implementation Latch RTL A[0] A[1] A[2] Dec Out A[n] D[0..m] Latch based memory implementation Schematic Latch A[0] Latch A[1] A[2] Pre Dec Post Dec Out A[n] D[0..m]
D D D En En En D D D D SEV–Example 2 (Power saving) out RTL enable clk Schematic out enable clk
Challenges in SEV compared to CEV • SEV is considered a more complex task than CEV • In CEV, the slices are combinational, and thus methods like Binary Decision Diagrams (BDDs) or Combinational Satisfiability (SAT) checkers can be employed a a BDD SAT 0 1 0 1 b b 0 c b 0 1 0 1 1 0 1 c c c 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
D D D Challenges in SEV compared to CEV – Cont. • The most challenging question in SEV is initialization • What is the initial state of the two compared designs? • Example (retiming) RTL Schematic out out
D D D Challenges in SEV compared to CEV – Cont. • The most challenging question in SEV is initialization • What is the initial state of the two compared designs? • Example (retiming) RTL Schematic 1 1 out out 1 0 1 Mismatch
D D D Challenges in SEV compared to CEV – Cont. • The most challenging question in SEV is initialization • What is the initial state of the two compared designs? • Example (retiming) RTL Schematic 0 0 out out 0 1 0 Mismatch
Agenda • Problem statement • Introduction • What is Seqver? • Initialization algorithm • Experimental results • Conclusions
What is ‘Seqver’? • Sequential EQuivalence VERifier • It addresses the following design activities: • Formal equivalence verification of two designs with similar or different placement of state elements • State matching (combinational) and non state matching designs verification • RTL2Sch, Sch2Sch and RTL2RTL • For more information, please refer to ICCD 2006 paper
How is the initialization problem addressed in Seqver? • Automatic initialization of the designs • Seqver theory is based on the alignability theory which was first introduced by Carl Pixley (1982) • It is motivated by the fact that a power-up state of a hardware design cannot be predicted or controlled • Thus the design must be brought into a smaller set of states where the design is supposed to work correctly
Preliminaries • The unknownstate of a circuit C is the state in which all the storage elements have the undefined value X • A binarystate of a circuit C is a state in which all the state elements have binary values • An initializationsequence of C is a sequence of binary inputs which, when applied to the unknown state of C, brings C to a binary state • A resetsequence of C is a sequence of binary inputs which, when applied to any state of C, brings C to the same binary state • Without loss of generality, we will assume one circuit only that needs to be initialized • As the initialization sequence of the product machine of two given circuits C2 and C2 is an initialization sequence for each of them
Agenda • Problem statement • Introduction • What is Seqver? • Initialization algorithm • Experimental results • Conclusions
D D D Initialization algorithm • The idea is to assign the unknown value (X) on each of the sequential elements • Call formal engine to find an input sequence to the inputs that makes all the sequential element initialized with 0’s or 1’s • The theory guarantees no verification hole although the “real reboot sequence” might be different from the one found by Seqver • Example : possible initialization sequences are (A=0,B=0) (A=1,B=0) (A=0,B=1) (A=1,B=1) X A RTL Schematic A X out out X X X B B
Which formal engine to choose? • Traditional methods for initializing hardware designs are based on BDDs • Advantages: very convenient data structures • Disadvantages : very limited in terms of number of variables • We chose to use Satisfiability (SAT) based methods • Very powerful combinational and sequential engines • iProver : Intel Formal Technology SAT engines based on Eureka – world class SAT solver
Modeling challenges • Challenge: All the known SAT solvers are binary value based, while we need a three valued representation (modeling 0, 1, and X) • Solution: Dual rail modeling • Every signal is modeling using dual value (High, Low) • SAT is being applied in parallel on both the high and low rails • Due to the large similarity between the high and low rails, no overhead was observed due to this duplication Dual Rail Encoding
Modeling challenges – Cont. • Challenge: How do we model sequential behavior using propositional logic? • Solution: Every variable is represented using infinite sequence Sequential Logic Encoding • Unrolling operation of an output function up-to depth k simply means applying the Next operator k times • We denote the value of stream v at time k using v[k]
So what’s novel in our method ? • Recall that our method assumed all the sequential elements are initialized with the unknown value (X) • The main drawback of this methods is that sometimes the circuit is resettable but the described method wouldn’t find the reset sequence • Due to weakness properties of X (X AND !X = X) • The described method could find a sequence that initializes partial set of the sequential elements • A novel method was developed in order to complement this sequence
Initialization steps g1 g2 g3 p s0 s2 s5 s8 g1 g2 g3 s1 s4 s7 g3 g1 g2 s3 s6 s9 Final reset sequence is : p g1 g2 g3
Algorithm illustration p Stage 1 : Initialize all the state elements with X. Find initialization sequence p
Algorithm illustration p Stage 1 : If all the sequential elements are initialized, then we are done. Pick as p as the initialization sequence
Algorithm illustration p Stage 2 : If not all the sequential elements are initialized, then
Algorithm illustration p • Stage 2 : If not all the sequential elements are initialized, then • Build a new circuit by duplicating the original one
Algorithm illustration p • Stage 2 : If not all the sequential elements are initialized, then • Build a new circuit by duplicating the original one • Initialize the not-initialized sequential elements with different values
Algorithm illustration g1 p • Stage 2 : Try now to find a new sequence g1 that brings both models into one state • If this sequence doesn’t exist, then we are done. This model is not resettable !
Algorithm illustration g1 p Stage 2 : However is this sequence g1 really exists, then check whether this sequence initializes the models now
Algorithm illustration g2 g1 p
Algorithm illustration g2 g1 p
Agenda • Problem statement • Introduction • What is Seqver? • Initialization algorithm • Experimental results • Conclusions
Agenda • Problem statement • Introduction • What is Seqver? • Initialization algorithm • Experimental results • Conclusions
Conclusions • Sequential equivalence verification using ‘Seqver’ opens the door for raising the RTL abstraction • First large scale usage in Intel – hundreds of designers • A new approach which automates the generation of initial state for hardware designs • New sequential modeling techniques empowered with world-class combinational SAT solvers enables solving tough sequential problems like ATPG and automatic sequential property verification